Security Industry Waits to See The Impact on Their Jobs
As Ex-Uber CSO Heads to Trial, the Security Community Reels

Joe Sullivan, Uber’s former chief of security, faces criminal charges for his handling of a 2016 security breach. His trial this week has divided the security industry.

Joe Sullivan was a rock star in the information security world. One of the first federal prosecutors to work on cybercrime cases in the late 1990s, he jumped into the corporate security world in 2002, eventually taking on high-profile roles as chief of security at Facebook and Uber.

“Everyone knew him; I was in awe, frankly,” said Renee Guttmann, who was the CISO for Coca-Cola and Campbell Soup. “He was an industry leader.”

So it came as a shock to many in the community when Mr. Sullivan was fired by Uber in 2017, accused of mishandling a security incident the year before. Despite the scandal, Mr. Sullivan got a new job as chief of security at Cloudflare, an internet infrastructure company, which he left in July to focus on the trial.

But the investigation into the incident at Uber continued, and in 2020, the same prosecutor’s office where Mr. Sullivan had worked decades earlier charged him with two felonies, in what is believed to be the first time a company executive has faced potential criminal liability for an alleged data breach. Mr. Sullivan has pleaded not guilty to the charges.

Other chief security officers are following the case closely, worried about what it means for them.

“A lot of sitting chief information security officers are going to their bosses and asking if they have D.&O. insurance and, if not, can I have it?”

After being charged, Mr. Sullivan sued Uber to force it to pay his legal fees in the criminal case, and they reached a private settlement.

Some security officers are sympathetic to how Mr. Sullivan handled the security incident at the center of the criminal case, while others say it was clearly inappropriate. In 2016, according to a criminal complaint, Mr. Sullivan learned that hackers had secured access to the personal data of about 600,000 Uber drivers and some personal information associated with 57 million riders and drivers. Prosecutors accuse Mr. Sullivan of directing those responsible to the company’s bug bounty program, which Uber, like many companies, had set up as a financial incentive for third parties to report its security vulnerabilities.

Uber ultimately paid the hackers, two men in their 20s, $100,000 in Bitcoin and had them sign nondisclosure agreements, according to the criminal complaint. Uber did not disclose the incident to the public, nor did it inform the Federal Trade Commission, which was investigating the company for its privacy and security practices.

A member of Uber’s security team around that time, who spoke on the condition of anonymity, said he hadn’t been surprised when he heard about Mr. Sullivan’s indictment, given the aggressive, do-what-it-takes culture he experienced at the company.

Prosecutors have accused Mr. Sullivan of obstructing justice and concealing a felony for not disclosing the breach or revealing it to the F.T.C. Mr. Sullivan’s spokesman said he could not discuss the case given the upcoming trial. Uber declined to comment.

Here's the Daily's previous coverage on the Uber case:

August 4, 2022: Fraud charges in hacking case against Uber ex-security chief are dismissed

July 26, 2022: Uber admits massive 2016 data breach coverup, cooperates with feds

April 28, 2022: Former Uber Chief Security Officer To Face Wire Fraud Charges

August 24, 2020: Watch: Former Uber CSO Charged With Covering Up 2016 Data Breach

August 21, 2020: Former Chief Security Officer For Uber Charged With Obstruction Of Justice

September 27, 2018: Uber Fined $148 Million for Breach Cover-Up

February 7, 2018: Uber Paid Hackers $100K to Destroy Stolen Data on 57M people, Keep Quiet

December 1, 2017: Three Uber security managers resign after CEO criticizes practices